From: tomli@tomli.me
To: Luca Beltrame <lbeltrame@kde.org>
Cc: wireguard@lists.zx2c4.com
Subject: Beware of udp2raw-tunnel (was: [HACK] UDP tunneling over TCP for WireGuard)
Date: Thu, 24 May 2018 09:20:04 +0800 [thread overview]
Message-ID: <20180524012004.GA2588@x220> (raw)
In-Reply-To: <2691203.H8StyC36JO@leon.lan>
[-- Attachment #1: Type: text/plain, Size: 1719 bytes --]
>> You can use this:
>> https://github.com/wangyu-/udp2raw-tunnel
>> instead of socat to avoid TCP over TCP effect.
> This is interesting . I'll give it a shot in the next few days and see how it
> fares (and report back).
This is a great project, but the last time I've looked into the code, showed some
serious problems, including hardcoding "iptables" commands and execute them as
root[0]. It also comes with an "encryption" scheme "authenticated" by plain MD5
in a MAC-then-encrypt basis, and never used HMAC[1], but still claims the encryption
provided a certain level of security... If the only purpose is traffic obfuscation,
why bother to have AES in the first place? But at least random number generation
has been done correctly, but instead of calling getrandom() or getentropy(), it
opens /dev/urandom with O_RDONLY, and read() some bytes[2]...
So, better compile the whole program with CFLAGS="-D_FORTIFY_SOURCE=2 -fstack-protector-all
--param ssp-buffer-size=1 -fPIE" to get some protections. At least don't run the
program at root, it may break your system, set CAP_NET_RAW instead.
This much being said, I'm not blaming the developers, considering the fact that
the program probably involved from a weekend project and they did understand the
existence of problems[3].
If anyone is interested in this project, a refactoring or a re-implementation
is appreciated.
[0] https://github.com/wangyu-/udp2raw-tunnel/blob/master/misc.cpp#L1104
[1] https://github.com/wangyu-/udp2raw-tunnel/blob/master/encrypt.cpp#L278
[2] https://github.com/wangyu-/udp2raw-tunnel/blob/master/common.cpp#L48
[3] https://github.com/wangyu-/udp2raw-tunnel/blob/master/encrypt.cpp#L23
Tom Li
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 851 bytes --]
prev parent reply other threads:[~2018-05-24 1:18 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-04-18 11:55 [HACK] UDP tunneling over TCP for WireGuard Luca Beltrame
2018-04-18 15:55 ` Tim Sedlmeyer
2018-04-18 21:07 ` Matthias Urlichs
2018-04-18 16:36 ` Ximin Luo
[not found] ` <f47035e6-8940-7f24-6d13-f645a76bc3a7@juniorjpdj.pl>
2018-04-18 21:12 ` Luca Beltrame
2018-05-24 1:20 ` tomli [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180524012004.GA2588@x220 \
--to=tomli@tomli.me \
--cc=lbeltrame@kde.org \
--cc=wireguard@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).